killvxk/analyzing-api-gateway-access-logs
skills/analyzing-api-gateway-access-logs/SKILL.md
解析 API 网关访问日志(AWS API Gateway、Kong、Nginx),检测 BOLA/IDOR 攻击、速率限制绕过、凭据扫描和注入尝试。使用 pandas 进行请求模式的统计分析和异常检测。适用于调查 API 滥用或构建 API 专项威胁检测规则。
$ install --global
skillsauthnpx skillsauth add killvxk/cybersecurity-skills-zh analyzing-api-gateway-access-logsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 10:47 PM12.2s3 files scanned
SKILL.md
- name:
- analyzing-api-gateway-access-logs
- description:
- >
- domain:
- cybersecurity
- subdomain:
- security-operations
- tags:
- [analyzing, api, gateway, access]
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
分析 API 网关访问日志
使用说明
解析 API 网关访问日志,识别攻击模式,包括对象级别授权缺失(BOLA)、过度数据暴露和注入尝试。
import pandas as pd
df = pd.read_json("api_gateway_logs.json", lines=True)
# 检测 BOLA:同一用户访问大量不同资源 ID
bola = df.groupby(["user_id", "endpoint"]).agg(
unique_ids=("resource_id", "nunique")).reset_index()
suspicious = bola[bola["unique_ids"] > 50]
关键检测模式:
- BOLA/IDOR:顺序资源 ID 枚举
- 通过 Header 操纵绕过速率限制
- 凭据扫描(单一来源的 401 激增)
- 查询参数中的 SQL/NoSQL 注入
- 只读端点上的异常 HTTP 方法(DELETE、PATCH)
示例
# 检测 401 激增,指示凭据扫描
auth_failures = df[df["status_code"] == 401]
scanner_ips = auth_failures.groupby("source_ip").size()
scanners = scanner_ips[scanner_ips > 100]
Related Skills
killvxk/conducting-social-engineering-penetration-test
testing
VerifiedTrustedCommunity
设计并执行社会工程学渗透测试,包括钓鱼、语音钓鱼、短信钓鱼和物理借口活动,以衡量人员安全韧性并识别培训差距。
10SKILL.mdUpdated Apr 29, 2026
killvxk/conducting-post-incident-lessons-learned
testing
VerifiedTrustedCommunity
主持结构化的事件后审查,以识别根本原因、记录有效和无效的措施,并提出可操作的改进建议以提升未来的事件响应能力。
10SKILL.mdUpdated Apr 29, 2026
killvxk/conducting-phishing-incident-response
testing
VerifiedTrustedCommunity
通过分析举报的邮件、提取指标、评估凭据受攻陷情况、在全组织范围隔离恶意邮件并修复受影响账号来响应网络钓鱼事件。涵盖邮件头分析、URL/附件沙箱检测和邮箱范围清除操作。适用于网络钓鱼响应、邮件事件、凭据钓鱼、鱼叉式网络钓鱼调查或钓鱼修复相关请求。
10SKILL.mdUpdated Apr 29, 2026
killvxk/conducting-pass-the-ticket-attack
tools
VerifiedTrustedCommunity
票据传递(Pass-the-Ticket,PtT)是一种横向移动技术,使用窃取的 Kerberos 票据(TGT 或 TGS)在不知道用户密码的情况下向服务进行认证。通过从已控制的主机内存中提取 Kerberos 票据,攻击者可以将这些票据注入自己的会话以模拟票据所有者。
10SKILL.mdUpdated Apr 29, 2026